Search results

1 – 10 of over 22000
Article
Publication date: 4 March 2014

Eyong B. Kim

Abstract

Purpose

The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT).

Design/methodology/approach

Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided.

Findings

College students understand the importance and the need for ISAT but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources.

Practical implications

Universities can assess their ISAT for students based on the findings of this study.

Originality/value

If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.

Details

Information Management & Computer Security, vol. 22 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 21 June 2021

Laila Dahabiyeh

Abstract

Purpose

As insiders remain a main reason behind security breaches, effective information security awareness campaigns become critical in protecting organizations from security incidents. The purpose of this paper is to identify factors that influence organizational adoption and acceptance of computer-based security awareness training tools.

Design/methodology/approach

The paper uses content analysis of online reviews of the top ten computer-based security awareness training tools that received Gartner peer insights Customers’ Choice 2019 award.

Findings

This study identifies nine critical adoption and success factors. These are synthesized into a conceptual framework based on the technology–organization–environment framework. The findings reveal that technological, organizational and environmental factors come into play in adoption decisions but with varying degrees of importance.

Practical implications

This study highlights key factors that technology vendors should take into consideration when designing computer-based security awareness training tools to increase adoption rates.

Originality/value

This research offers a novel contribution to the literature on information security awareness delivery methods by identifying key factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Those factors were identified using content analysis of online reviews, which is a new methodological approach to the information security awareness literature.

Details

Information & Computer Security, vol. 29 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 November 2017

Harrison Stewart and Jan Jürjens

Abstract

Purpose

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Design/methodology/approach

Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Findings

Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.

Research limitations/implications

The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.

Practical implications

In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.

Social implications

The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

Originality/value

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Details

Information & Computer Security, vol. 25 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 October 2008

Charlie C. Chen, B. Dawn Medlin and R.S. Shaw

Abstract

Purpose

The aim of this research is to make users aware of the importance surrounding the issue of security and security awareness while at the same time making educators as well as other individuals aware of the differing effects of cultural dimensions into the learning process.

Design/methodology/approach

An inter‐cultural study was conducted to investigate if users from the USA and Taiwan exposed to the same situational awareness learning would have different performance in those security awareness outcomes.

Findings

The findings confirm that American users who received the situational learning outperformed those users who received the traditional face‐to‐face instruction. Taiwanese users did not perform significantly differently between these two treatments.

Research limitations/implications

The study was only focused on two countries and therefore may limit its implications worldwide. But the study does show that global citizens also react differently to security awareness as would be expected due to differing cultures. Certainly, awareness of the risks and safeguards is the first line of defense that can be employed by any individual, but how individuals address these risks can be very dissimilar in different cultures. Therefore, the implications are apparent that the issue of security awareness should be studied from different cultural perspectives.

Originality/value

This paper offers original findings and value into the investigation of whether or not situational security awareness training is culturally‐bounded.

Details

Information Management & Computer Security, vol. 16 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 13 July 2015

Ruth Østgaard Skotnes

Abstract

Purpose

This paper aims to follow up on previous research by studying the degree of management commitment to information and communication technology (ICT) safety and security within network companies in the electric power supply sector, implementation of awareness creation and training measures for ICT safety and security within these companies and the relationship between these two variables.

Design/methodology/approach

Data were mainly collected through a survey among users of ICT systems in network companies within the Norwegian electric power supply sector. In addition, qualitative data were gathered through interviews with representatives from the regulatory authorities, and observation studies were conducted at ICT safety and security conferences.

Findings

In accordance with previous research, our survey data showed a statistically significant correlation between management commitment to ICT safety and security and implementation of awareness creation and training measures. The majority of survey respondents viewed the degree of management commitment to ICT safety and security within their own organization as high, even though qualitative studies showed contradictory results. The network companies had implemented awareness creation and training measures to a varying degree. However, interactive awareness measures were used to a lesser extent than formal one-way communication methods.

Originality/value

The paper provides insight into management commitment to and implementation of awareness creation and training measures for ICT safety and security within network companies.

Details

Information & Computer Security, vol. 23 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 2 June 2023

N’guessan Yves-Roland Douha, Karen Renaud, Yuzo Taenaka and Youki Kadobayashi

Abstract

Purpose

Smart-home security involves multilayered security challenges related to smart-home devices, networks, mobile applications, cloud servers and users. However, very few studies focus on smart-home users. This paper aims to fill this gap by investigating the potential interests of adult smart-home users in cybersecurity awareness training and nonfinancial rewards that may encourage them to adopt sound cybersecurity practices.

Design/methodology/approach

A total of 423 smart-home users between the ages of 25 and 64 completed a survey questionnaire for this study, with 224 participants from Japan and 199 from the UK.

Findings

Cultural factors considerably influence adult smart-home users’ attitudes toward cybersecurity. Specifically, cultural differences impact their willingness to participate in cybersecurity awareness training, their views on the importance of cybersecurity training for children and senior citizens and their preference for nonfinancial rewards as an incentive for good cybersecurity behavior. These results highlight the need to consider cultural differences and their potential impact when developing and implementing cybersecurity programs that target smart-home users.

Practical implications

This research has two main implications. First, it provides insights for information security professionals on the importance of designing cost-effective and time-efficient cybersecurity awareness training programs for smart-home users. Second, the findings may assist governments in establishing nonfinancial incentives to encourage greater uptake of cybersecurity practices among smart-home users.

Originality/value

The paper investigates whether adult smart-home users are willing to spend time and money to engage in cybersecurity awareness training and to encourage their children and elderly parents to participate in training, as well. In addition, the paper examines incentives, especially nonfinancial rewards, that may motivate adult smart-home users to adopt cybersecurity behaviors at home. Furthermore, the paper analyses demographic differences among smart-home users in Japan and the UK.

Details

Information & Computer Security, vol. 31 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 20 November 2009

Janne Merete Hagen and Eirik Albrechtsen

Abstract

Purpose

The purpose of this paper is to measure and discuss the effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.

Design/methodology/approach

The intervention study has a pre‐ and post‐assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e‐learning tool).

Findings

The study documents significant short‐time improvements in security knowledge, awareness, and behavior of members of the intervention group.

Research limitations/implications

The study looks at short‐time effects of the intervention. The paper has done a follow‐up study of the long‐term effects, which is also submitted to Information Management & Computer Security.

Practical implications

The study can document that software that supports Information Security Awareness programs has a short‐time effect on employees' knowledge, behaviour, and awareness; more intervention studies, following the same principles as presented in this paper, of other user‐directed measures are needed to test and document the effects of different measures.

Originality/value

The paper is innovative in the area of information security research as it shows how the effects of an information security intervention can be measured.

Details

Information Management & Computer Security, vol. 17 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 February 2024

Kate-Riin Kont

Abstract

Purpose

This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates Estonian library staff awareness of information security and shares recommendations concerning focus areas that should be given more attention in the future.

Design/methodology/approach

The data used in this paper is based on an overview of relevant literature highlighting the theoretical points and giving the reasons why the human factor is considered the weakest link in information security and cyber security and studying how to mitigate the related risks in the organisation. To perform the survey, a web questionnaire was designed which included 63 sentences and was developed based on the knowledge-attitude-behaviour (KAB) model supported by Kruger and Kearney and Human Aspects of Information Security Questionnaire (HAIS-Q) designed by Parsons et al.

Findings

The research results show that the information security awareness of library employees is at a good level; however, awareness in two focus areas needs special attention and should be improved. The output of this study is the mapping of seven focus areas of information security policy in libraries based on the HAIS-Q framework and the KAB model.

Originality/value

The cyber awareness of library employees has not been studied in the world using HAIS-Q and KAB model, and to the best of the authors’ knowledge, no research has been previously carried out in the Estonian library context into cyber security awareness.

Details

Library Management, vol. 45 no. 1/2
Type: Research Article
ISSN: 0143-5124

Article
Publication date: 19 July 2011

Janne Hagen, Eirik Albrechtsen and Stig Ole Johnsen

Abstract

Purpose

The purpose of this paper is to measure and discuss the long‐term effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.

Design/methodology/approach

The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only thing that separated the groups was participation in the intervention (i.e. the e‐learning tool).

Findings

The study documents that the effects of the intervention on security awareness and behavior partly remain more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long‐term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary input in the process to successfully educate and train employees in information security.

Research limitations/implications

One weakness of concern is the low response rate of 37 in the final analysis.

Practical implications

The study can document that short‐time effects of software supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness. More intervention studies, following the same principles as presented in this paper, of other user‐directed measures are needed to test and document the effects of different measures.

Originality/value

The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.

Details

Information Management & Computer Security, vol. 19 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 13 November 2019

Malcolm Pattinson, Marcus Butavicius, Meredith Lillie, Beau Ciccarello, Kathryn Parsons, Dragana Calic and Agata McCormac

Abstract

Purpose

This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.

Design/methodology/approach

In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training.

Findings

The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. However, the frequency of such training did not directly predict ISA levels.

Research limitations/implications

Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA.

Practical implications

If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer.

Originality/value

A review of the literature confirmed that ACFs for cyber-security do exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual’s preferred learning style. Similar improvement was not evident when the training frequency was increased, suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.